SigmaHQ / sigma

Main Sigma Rule Repository

Create proc_creation_win_veeam_cve_2024_29212.yml #4848

Closed prashanthpulisetti closed 1 month ago

prashanthpulisetti commented 1 month ago

Detection of Veeam Service Provider Console Vulnerability (CVE-2024-29212)

References:
https://www.veeam.com/kb4575
https://www.helpnetsecurity.com/2024/05/08/cve-2024-29212/

Raw Logs:

ProcessGuid: {427dadb5-ee46-663c-7b04-asgasdgsdgswg}
ProcessId: 23423
Image: C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.AgentConfigurator.exe
FileVersion: 6.0.0.7739
Description: Veeam.MBP.AgentConfigurator
Product: Veeam Service Provider Console
Company: Veeam Software Group GmbH
OriginalFileName: Veeam.MBP.AgentConfigurator.exe
CommandLine: "C:\Program Files\Veeam\Availability Console\CommunicationAgent\Veeam.MBP.AgentConfigurator.exe" 
CurrentDirectory: C:\WINDOWS\System32\
User:  ABC\googlezr
LogonGuid: {427dadb5-edbf-663c-5d5f-asgasdgsdgswg}
LogonId: 0x1797F5F5D
TerminalSessionId: 11
IntegrityLevel: Medium
Hashes: MD5=48BDCC4082DBB0B59364C4EF7CC03C4E,SHA256=024771CAB3B0F52E8AFC20564FBEDC64BEB54C64D60F708238984907117BBDEC,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744
ParentProcessGuid: {427dadb5-ee2c-663c-4f04-070000002100}
ParentProcessId: 2122
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\WINDOWS\Explorer.EXE
ParentUser: ABC\googlezr

nasbench commented 1 month ago

Unfortunately the rule in its current state doesn't work.

The fix for the vulnerability is in the builds 7.0.0.18899 and 8.0.0.19236 which start with 7.0 and 8.0 respectively so both the fixed and vulnerable versions of Veeam Service Provider Console will be triggering this.

Also for versions 5 and 6: both have reached end of fix (see this). And assuming a fix is provided for those with support, it'll also be released in a minor build. So we can't use those as well.

And since version comparison is hard in most SIEMs (i.e. you can't use the "lt" / "gt" modifiers here), detecting this via this method is not a super viable option. (Best leave this to other tooling in the env such as vuln or inventory management tools, as an example.)

Closing this PR for now. If you have another method, feel free to open a PR.
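To make the maintainer's objection concrete, here is an added Python illustration (not code from the PR, the Sigma project, or Veeam) that contrasts a string-prefix rule with a proper numeric comparison of Sysmon `FileVersion` values. The fixed build numbers 7.0.0.18899 and 8.0.0.19236 are those quoted in the thread; the `prefix_rule_matches` function is an assumed reconstruction of the kind of `startswith` match nasbench describes, since the rule itself is not shown on the page; the sample events are constructed, and the build 7.0.0.18000 is a hypothetical pre-fix build used only to show the contrast. Majors 5 and 6 are treated as unpatched, following the "end of fix" remark above.

```python
"""Version comparison vs. prefix matching for the CVE-2024-29212 discussion.

Added illustration; not part of the PR or of the Sigma rule repository.
"""

# Fixed builds per major version, as stated in nasbench's comment.
FIXED_BUILDS = {
    7: (7, 0, 0, 18899),
    8: (8, 0, 0, 19236),
}

# Majors with no fixed build available ("end of fix" per the thread).
UNPATCHED_MAJORS = {5, 6}

# Constructed Sysmon-style events, trimmed to the fields used here.
# 6.0.0.7739 is the build from the PR's raw log; 7.0.0.18000 is a
# hypothetical pre-fix 7.0 build; the other two are the fixed builds.
SAMPLE_EVENTS = [
    "Image: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.AgentConfigurator.exe\n"
    "FileVersion: 6.0.0.7739\nProduct: Veeam Service Provider Console",
    "Image: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.AgentConfigurator.exe\n"
    "FileVersion: 7.0.0.18000\nProduct: Veeam Service Provider Console",
    "Image: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.AgentConfigurator.exe\n"
    "FileVersion: 7.0.0.18899\nProduct: Veeam Service Provider Console",
    "Image: C:\\Program Files\\Veeam\\Availability Console\\CommunicationAgent\\Veeam.MBP.AgentConfigurator.exe\n"
    "FileVersion: 8.0.0.19236\nProduct: Veeam Service Provider Console",
    # Unrelated process, should be ignored by the Product filter.
    "Image: C:\\Windows\\explorer.exe\nFileVersion: 10.0.19041.1\nProduct: Microsoft Windows",
]


def parse_sysmon_event(text):
    """Turn 'Key: value' lines (Sysmon event message layout) into a dict."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event


def parse_version(version):
    """'7.0.0.18899' -> (7, 0, 0, 18899); rejects anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def prefix_rule_matches(version):
    """Assumed reconstruction of a string-prefix rule: fires on any 7.0.* or
    8.0.* build, which is exactly why it cannot separate fixed from vulnerable."""
    return version.startswith(("7.0", "8.0"))


def is_vulnerable(version):
    """Numeric comparison against the fixed build for the version's major.

    Returns True (below fixed build, or a major with no fix), False (at or
    above the fixed build), or None (major not covered by the thread).
    """
    v = parse_version(version)
    major = v[0]
    if major in UNPATCHED_MAJORS:
        return True
    fixed = FIXED_BUILDS.get(major)
    if fixed is None:
        return None
    return v < fixed  # tuple comparison orders component by component


def triage(raw_events):
    """For each Veeam Service Provider Console event, report what the prefix
    rule and the numeric comparison each conclude."""
    results = []
    for raw in raw_events:
        ev = parse_sysmon_event(raw)
        if ev.get("Product") != "Veeam Service Provider Console":
            continue
        ver = ev.get("FileVersion", "")
        if not ver:
            continue
        results.append({
            "version": ver,
            "prefix_rule_fires": prefix_rule_matches(ver),
            "vulnerable": is_vulnerable(ver),
        })
    return results


def false_positives(raw_events):
    """Events where the prefix rule fires although the build is already fixed."""
    return [r["version"] for r in triage(raw_events)
            if r["prefix_rule_fires"] and r["vulnerable"] is False]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    print("prefix-rule false positives:", false_positives(SAMPLE_EVENTS))
```

Running it shows both fixed builds lighting up the prefix rule while the numeric comparison clears them, and the 6.0 build from the log being missed by the prefix rule while the comparison flags it. A SIEM would need this kind of component-wise ordering to express the check; the Sigma `lt`/`gt` modifiers the comment refers to only help where the backend can do it, which is the limitation nasbench points out.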